The Hacker News — Cyber Security, Hacking, Technology News

LinkedIn's 2012 data breach was much worse than anybody first thought.

In 2012, LinkedIn suffered a massive data breach in which the login details of more than 6 million user accounts, including hashed passwords, were posted online by a Russian hacker.

Now it turns out that it was not just 6 million users who had their login details stolen.

New reports suggest that the 2012 LinkedIn data breach may have resulted in the online sale of sensitive account information, including emails and passwords, of about 117 million LinkedIn users.

Almost four years later, a hacker using the nickname "Peace" is offering for sale what he or she claims to be a database of 167 million emails and hashed passwords belonging to LinkedIn users, of which 117 million passwords have already been cracked.

The hacker, who is selling the stolen data on the illegal Dark Web marketplace "The Real Deal" for 5 Bitcoins (roughly $2,200), told Motherboard that these logins come from the 2012 data breach.

Since the passwords had originally been hashed with the SHA1 algorithm with "no salt," it took 'LeakedSource', the paid search engine for hacked data, just 72 hours to crack roughly 90% of them.

Troy Hunt, an independent researcher who runs the "Have I Been Pwned?" site, reached out to a number of the victims, who confirmed to Hunt that the leaked credentials were legitimate.

The whole incident proved that LinkedIn stored your passwords in an insecure way and that the company did not make it known exactly how widespread the data breach was at the time.

In response to this incident, a LinkedIn spokesperson says that the company is investigating the matter.

In 2015, LinkedIn also agreed to settle a class-action lawsuit over the 2012 security breach by paying a total of $1.25 million to victims in the U.S., which works out to $50 for each of them.

According to the lawsuit, the company violated its privacy policy and an agreement with premium subscribers that promised it would keep their personal information safe.

However, new reports now suggest that a total of 167 million LinkedIn accounts were breached, instead of just 6 million.

If at least 30% of the hacked LinkedIn accounts belong to Americans, the company would have to pay more than $15 million.

Meanwhile, I recommend that you change your password (and pick a longer and stronger one this time) and enable two-factor authentication for your LinkedIn account as soon as possible. Also, do the same for your other online accounts if you are using the same password on multiple sites.

Last month, when hackers leaked nearly 100 gigabytes of sensitive data belonging to the popular online casual sex and marital affair website 'Ashley Madison', there was at least one thing in favor of its 37 million cheaters: their passwords were hashed.

But the never-ending saga of the Ashley Madison hack could now hit the cheaters hard, because a password-cracking group that calls itself CynoSure Prime has cracked more than 11 million user passwords in just the past 10 days, not years.

Yes, the hashed passwords that were previously thought to be cryptographically protected by Bcrypt have now been cracked.

Bcrypt is a deliberately slow password-hashing algorithm: its cost factor makes each guess so expensive that it would literally take centuries to brute-force all of the Ashley Madison account passwords.

How did they crack the passwords?

The password-cracking team identified a weakness after reviewing the leaked data, which included users' hashed passwords, executive e-mails and the website's source code.

During their audit of the website's source code, the team found that some of the login tokens used by the site were protected with MD5, a weak and fast hashing algorithm.

So, instead of attacking the slow Bcrypt hashes, they simply brute-forced the MD5 tokens of the corresponding accounts, which allowed the team to recover 11.2 million passwords in plaintext.
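The two storage mistakes above (LinkedIn's unsalted SHA1 and Ashley Madison's fast MD5 token derived from the password) share one lesson: a password is only as protected as the weakest hash ever computed from it. The added example below is not code from either site; it contrasts those weak patterns with a salted, slow hash and a password-independent token. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, and the MD5 token layout is a constructed illustration, since the real format is not on the page.

```python
import hashlib
import hmac
import secrets

# Work factor for the slow KDF; tune so one verification costs ~100 ms.
PBKDF2_ITERATIONS = 200_000

def legacy_sha1_hash(password: str) -> str:
    """Unsalted SHA-1, the scheme the LinkedIn dump used: one fast hash and
    no salt, so identical passwords produce identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()

def distinct_legacy_hashes(passwords: list) -> int:
    """Without a salt a credential table collapses by password: every user
    who picked the same password shares a hash, so one crack hits them all."""
    return len({legacy_sha1_hash(p) for p in passwords})

def hardened_hash(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a slow KDF. PBKDF2-HMAC-SHA256 (standard
    library) stands in for bcrypt; the record is 'pbkdf2$iters$salt$hash'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_hardened(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def weak_login_token(username: str, password: str) -> str:
    """Constructed illustration of the Ashley Madison mistake: a token that is
    a fast hash OF THE PASSWORD is only as strong as MD5, however slow the
    bcrypt column is. (The site's real token format is not on the page.)"""
    return hashlib.md5(f"{username.lower()}:{password}".encode()).hexdigest()

def issue_login_token() -> tuple:
    """Hardened form: the token is random and independent of the password.
    A fast hash is fine here because 256 random bits cannot be brute-forced
    the way a human-chosen password can; store only the hash."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()

if __name__ == "__main__":
    # Constructed sample: three users, two of whom reuse "password1".
    print(distinct_legacy_hashes(["password1", "password1", "linkedin"]))  # 2
    rec = hardened_hash("password1")
    print(verify_hardened("password1", rec), verify_hardened("wrong", rec))
```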

Be careful about leaving your important and valuable belongings in your lockers. A 3D-printed robot has arrived that can crack a combination lock in as little as 30 seconds.

So it’s time to ditch your modern combination locks and start keeping your valuables in a good old-fashioned locker with keys.

The well-known California hacker Samy Kamkar, an expert in cracking locks, has built a 3D-printed machine he calls the "Combo Breaker" that can crack Master Lock combination padlocks – used on hundreds of thousands of school lockers – in less than 30 seconds.

A couple of weeks ago, Kamkar showed the world how a manufacturing flaw in Master Lock combination locks can reveal the full combination in eight or fewer attempts by carefully measuring how the dial interacts with the shackle.

However, that method requires some software and manual work, and who has that much time?

So, to make it simple for everyone, on Thursday the hacker posted a DIY guide showing how anyone can build an electronic device, the Combo Breaker, that applies the technique automatically and achieves the same result in about 30 seconds.

"The machine pretty much brute forces the lock for you," says Kamkar. "You attach it, leave it, and it does its thing."

Kamkar posted a step-by-step video on how to assemble about $100 worth of parts into your own Combo Breaker.

The necessary hardware includes a 3D printer to create the frame, a stepper driver and motor, an Arduino Nano microcontroller board, a 500mAh 3S battery, voltage regulators, an analog feedback servo, and a breadboard and wires. All components are readily available online.

The hacker has also released the plans, 3D models, and code for the Combo Breaker online for free as open source.

Kamkar is the same security researcher who, a few months ago, developed a cheap Arduino-based keylogger for wireless keyboards called KeySweeper, which sniffs, decrypts, logs, and reports back all keystrokes from a Microsoft wireless keyboard.